Analysis
-
max time kernel
150s -
max time network
137s -
platform
windows10-2004_x64 -
resource
win10v2004-20250313-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250313-en locale:en-us os:windows10-2004-x64 system
submitted
28/03/2025, 20:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe
Resource
win7-20240729-en
7 signatures
150 seconds
General
-
Target
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe
-
Size
458KB
-
MD5
9683bfdccf3ba351ee2d0e45d1ea2f45
-
SHA1
007580a6470dbd24a7b3f9446131f132d8107506
-
SHA256
53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40
-
SHA512
6c7a63b50d39f65117afda202ec37dbfe061631b7821c2fa8f858deb6b960e4f650bdc87880c6b9dc3be4928d4002c1c46f0f869761b9500dcefed105cfb0e81
-
SSDEEP
6144:8cm7ImGddXmNt251UriZFwfsDX2UznsaFVNJCMKAbebC:q7Tc2NYHUrAwfMp3CDO
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 63 IoCs
resource yara_rule behavioral2/memory/4360-6-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/8-14-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1588-12-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5500-18-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5488-31-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1732-36-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1908-42-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3980-48-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2688-55-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4624-63-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3192-70-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4864-81-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4660-87-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4792-94-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5448-98-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1404-102-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4968-110-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/932-126-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4088-130-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4512-140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1004-138-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/3292-145-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/6108-155-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3624-162-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3684-169-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5688-183-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2452-189-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2940-193-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2588-206-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3536-213-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2528-232-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/696-236-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5092-243-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5300-250-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4552-257-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/184-262-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3116-273-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1044-271-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5948-279-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1580-286-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2096-293-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/644-307-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon 
behavioral2/memory/1264-326-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/884-333-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4712-349-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4868-356-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5020-375-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3736-385-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2984-395-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2912-402-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4772-413-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/512-435-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5180-448-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5664-503-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/2596-546-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/532-583-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/5944-605-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1964-630-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4160-637-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/3792-901-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/1572-971-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4944-1140-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon behavioral2/memory/4892-1823-0x0000000000400000-0x000000000042A000-memory.dmp family_blackmoon -
Executes dropped EXE 64 IoCs
pid Process 1588 fxffffx.exe 8 9pjvj.exe 5500 xrxrrlr.exe 5488 dvvpj.exe 1732 hhhbtt.exe 1908 jjjdp.exe 3980 thnhnb.exe 884 1vdvj.exe 2688 fxxxffl.exe 4624 nbntht.exe 3192 ttbnhh.exe 4696 vvddv.exe 4864 bhhbbb.exe 4660 nhnhtt.exe 4792 llxrrrr.exe 5448 hhtnhb.exe 1404 rlfxrlf.exe 4968 5hbnbt.exe 4856 ppvvv.exe 2332 7rffxxr.exe 932 rfflfxr.exe 4088 jppdp.exe 4512 xllfrrl.exe 1004 jvdvv.exe 3292 rflxrll.exe 6108 nhbntn.exe 3624 7xxlxrl.exe 3684 htthbt.exe 6076 pdjjd.exe 5772 lrfrfrx.exe 5688 xlrfrrf.exe 2452 pdpdp.exe 2940 fllxxrf.exe 4672 htbbbt.exe 2240 dppdp.exe 6136 llxlrfl.exe 2588 5tbbbb.exe 4392 vddpd.exe 3536 rfxlxrf.exe 6120 lxxrllr.exe 1220 thhtnb.exe 1260 pdjvj.exe 3860 pvdjj.exe 2368 1lxrfxf.exe 2528 hbthtn.exe 696 1jdpp.exe 3972 dpjvp.exe 5092 xfflfll.exe 5568 nbbhtn.exe 5300 ththht.exe 3172 dpvpd.exe 4552 lrxlrlx.exe 184 7xxfrlf.exe 4204 5nnhhb.exe 1632 jjppd.exe 3116 xffrfxl.exe 1044 1llxllf.exe 5948 5bbnht.exe 1576 djjvp.exe 1580 frlxlfx.exe 3772 tbbnbt.exe 2096 pddvj.exe 1456 3lfxllx.exe 4288 nhhtnn.exe -
resource yara_rule behavioral2/memory/4360-6-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/8-14-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1588-12-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5500-18-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5488-25-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5488-31-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1732-36-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1908-42-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3980-48-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2688-55-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4624-63-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3192-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4864-81-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4660-87-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4792-94-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5448-98-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1404-102-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4968-110-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/932-126-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4088-130-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4512-140-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1004-138-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3292-145-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/6108-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/6108-155-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3624-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3684-169-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5688-183-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2452-189-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2940-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2588-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3536-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2528-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/696-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5092-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5300-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4552-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/184-262-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3116-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1044-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5948-279-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1580-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2096-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4288-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/644-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1264-326-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/884-333-0x0000000000400000-0x000000000042A000-memory.dmp upx 
behavioral2/memory/4712-349-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-356-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5020-375-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3736-385-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2984-395-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4760-403-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2912-402-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4772-413-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/512-435-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5180-448-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5664-503-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2596-546-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/532-583-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5944-605-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1964-630-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4160-637-0x0000000000400000-0x000000000042A000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bbbnbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rllfxxl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nbbtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xlxrxff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dvdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tnhtnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dpvpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvvdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ntnhth.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tntnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xflrxlr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hhthbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jvdvj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pddvv.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language btbtnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7nnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfrlxlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pjdvp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language nnnhbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4360 wrote to memory of 1588 4360 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 88 PID 4360 wrote to memory of 1588 4360 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 88 PID 4360 wrote to memory of 1588 4360 53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe 88 PID 1588 wrote to memory of 8 1588 fxffffx.exe 89 PID 1588 wrote to memory of 8 1588 fxffffx.exe 89 PID 1588 wrote to memory of 8 1588 fxffffx.exe 89 PID 8 wrote to memory of 5500 8 9pjvj.exe 90 PID 8 wrote to memory of 5500 8 9pjvj.exe 90 PID 8 wrote to memory of 5500 8 9pjvj.exe 90 PID 5500 wrote to memory of 5488 5500 xrxrrlr.exe 91 PID 5500 wrote to memory of 5488 5500 xrxrrlr.exe 91 PID 5500 wrote to memory of 5488 5500 xrxrrlr.exe 91 PID 5488 wrote to memory of 1732 5488 dvvpj.exe 94 PID 5488 wrote to memory of 1732 5488 dvvpj.exe 94 PID 5488 wrote to memory of 1732 5488 dvvpj.exe 94 PID 1732 wrote to memory of 1908 1732 hhhbtt.exe 95 PID 1732 wrote to memory of 1908 1732 hhhbtt.exe 95 PID 1732 wrote to memory of 1908 1732 hhhbtt.exe 95 PID 1908 wrote to memory of 3980 1908 jjjdp.exe 96 PID 1908 wrote to memory of 3980 1908 jjjdp.exe 96 PID 1908 wrote to memory of 3980 1908 jjjdp.exe 96 PID 3980 wrote to memory of 884 3980 thnhnb.exe 97 PID 3980 wrote to memory of 884 3980 thnhnb.exe 97 PID 3980 wrote to memory of 884 3980 thnhnb.exe 97 PID 884 wrote to memory of 2688 884 1vdvj.exe 99 PID 884 wrote to memory of 2688 884 1vdvj.exe 99 PID 884 wrote to memory of 2688 884 1vdvj.exe 99 PID 2688 wrote to memory of 4624 2688 fxxxffl.exe 100 PID 2688 wrote to memory of 4624 2688 fxxxffl.exe 100 PID 2688 wrote to memory of 4624 2688 fxxxffl.exe 100 PID 4624 wrote to memory of 3192 4624 nbntht.exe 102 PID 4624 wrote to memory of 3192 4624 nbntht.exe 102 PID 4624 wrote to memory of 3192 4624 nbntht.exe 102 PID 3192 wrote to memory of 4696 3192 ttbnhh.exe 103 PID 3192 wrote to memory of 4696 3192 ttbnhh.exe 
103 PID 3192 wrote to memory of 4696 3192 ttbnhh.exe 103 PID 4696 wrote to memory of 4864 4696 vvddv.exe 104 PID 4696 wrote to memory of 4864 4696 vvddv.exe 104 PID 4696 wrote to memory of 4864 4696 vvddv.exe 104 PID 4864 wrote to memory of 4660 4864 bhhbbb.exe 105 PID 4864 wrote to memory of 4660 4864 bhhbbb.exe 105 PID 4864 wrote to memory of 4660 4864 bhhbbb.exe 105 PID 4660 wrote to memory of 4792 4660 nhnhtt.exe 107 PID 4660 wrote to memory of 4792 4660 nhnhtt.exe 107 PID 4660 wrote to memory of 4792 4660 nhnhtt.exe 107 PID 4792 wrote to memory of 5448 4792 llxrrrr.exe 108 PID 4792 wrote to memory of 5448 4792 llxrrrr.exe 108 PID 4792 wrote to memory of 5448 4792 llxrrrr.exe 108 PID 5448 wrote to memory of 1404 5448 hhtnhb.exe 109 PID 5448 wrote to memory of 1404 5448 hhtnhb.exe 109 PID 5448 wrote to memory of 1404 5448 hhtnhb.exe 109 PID 1404 wrote to memory of 4968 1404 rlfxrlf.exe 110 PID 1404 wrote to memory of 4968 1404 rlfxrlf.exe 110 PID 1404 wrote to memory of 4968 1404 rlfxrlf.exe 110 PID 4968 wrote to memory of 4856 4968 5hbnbt.exe 111 PID 4968 wrote to memory of 4856 4968 5hbnbt.exe 111 PID 4968 wrote to memory of 4856 4968 5hbnbt.exe 111 PID 4856 wrote to memory of 2332 4856 ppvvv.exe 112 PID 4856 wrote to memory of 2332 4856 ppvvv.exe 112 PID 4856 wrote to memory of 2332 4856 ppvvv.exe 112 PID 2332 wrote to memory of 932 2332 7rffxxr.exe 113 PID 2332 wrote to memory of 932 2332 7rffxxr.exe 113 PID 2332 wrote to memory of 932 2332 7rffxxr.exe 113 PID 932 wrote to memory of 4088 932 rfflfxr.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe"C:\Users\Admin\AppData\Local\Temp\53df8220bc38607147b39face1985dbb22914a172749c880601e332d2a1b5e40.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4360 -
\??\c:\fxffffx.exec:\fxffffx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588 -
\??\c:\9pjvj.exec:\9pjvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:8 -
\??\c:\xrxrrlr.exec:\xrxrrlr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5500 -
\??\c:\dvvpj.exec:\dvvpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5488 -
\??\c:\hhhbtt.exec:\hhhbtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732 -
\??\c:\jjjdp.exec:\jjjdp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908 -
\??\c:\thnhnb.exec:\thnhnb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
\??\c:\1vdvj.exec:\1vdvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884 -
\??\c:\fxxxffl.exec:\fxxxffl.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2688 -
\??\c:\nbntht.exec:\nbntht.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
\??\c:\ttbnhh.exec:\ttbnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
\??\c:\vvddv.exec:\vvddv.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4696 -
\??\c:\bhhbbb.exec:\bhhbbb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
\??\c:\nhnhtt.exec:\nhnhtt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4660 -
\??\c:\llxrrrr.exec:\llxrrrr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
\??\c:\hhtnhb.exec:\hhtnhb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5448 -
\??\c:\rlfxrlf.exec:\rlfxrlf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
\??\c:\5hbnbt.exec:\5hbnbt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
\??\c:\ppvvv.exec:\ppvvv.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
\??\c:\7rffxxr.exec:\7rffxxr.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
\??\c:\rfflfxr.exec:\rfflfxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
\??\c:\jppdp.exec:\jppdp.exe23⤵
- Executes dropped EXE
PID:4088 -
\??\c:\xllfrrl.exec:\xllfrrl.exe24⤵
- Executes dropped EXE
PID:4512 -
\??\c:\jvdvv.exec:\jvdvv.exe25⤵
- Executes dropped EXE
PID:1004 -
\??\c:\rflxrll.exec:\rflxrll.exe26⤵
- Executes dropped EXE
PID:3292 -
\??\c:\nhbntn.exec:\nhbntn.exe27⤵
- Executes dropped EXE
PID:6108 -
\??\c:\7xxlxrl.exec:\7xxlxrl.exe28⤵
- Executes dropped EXE
PID:3624 -
\??\c:\htthbt.exec:\htthbt.exe29⤵
- Executes dropped EXE
PID:3684 -
\??\c:\pdjjd.exec:\pdjjd.exe30⤵
- Executes dropped EXE
PID:6076 -
\??\c:\lrfrfrx.exec:\lrfrfrx.exe31⤵
- Executes dropped EXE
PID:5772 -
\??\c:\xlrfrrf.exec:\xlrfrrf.exe32⤵
- Executes dropped EXE
PID:5688 -
\??\c:\pdpdp.exec:\pdpdp.exe33⤵
- Executes dropped EXE
PID:2452 -
\??\c:\fllxxrf.exec:\fllxxrf.exe34⤵
- Executes dropped EXE
PID:2940 -
\??\c:\htbbbt.exec:\htbbbt.exe35⤵
- Executes dropped EXE
PID:4672 -
\??\c:\dppdp.exec:\dppdp.exe36⤵
- Executes dropped EXE
PID:2240 -
\??\c:\llxlrfl.exec:\llxlrfl.exe37⤵
- Executes dropped EXE
PID:6136 -
\??\c:\5tbbbb.exec:\5tbbbb.exe38⤵
- Executes dropped EXE
PID:2588 -
\??\c:\vddpd.exec:\vddpd.exe39⤵
- Executes dropped EXE
PID:4392 -
\??\c:\rfxlxrf.exec:\rfxlxrf.exe40⤵
- Executes dropped EXE
PID:3536 -
\??\c:\lxxrllr.exec:\lxxrllr.exe41⤵
- Executes dropped EXE
PID:6120 -
\??\c:\thhtnb.exec:\thhtnb.exe42⤵
- Executes dropped EXE
PID:1220 -
\??\c:\pdjvj.exec:\pdjvj.exe43⤵
- Executes dropped EXE
PID:1260 -
\??\c:\pvdjj.exec:\pvdjj.exe44⤵
- Executes dropped EXE
PID:3860 -
\??\c:\1lxrfxf.exec:\1lxrfxf.exe45⤵
- Executes dropped EXE
PID:2368 -
\??\c:\hbthtn.exec:\hbthtn.exe46⤵
- Executes dropped EXE
PID:2528 -
\??\c:\1jdpp.exec:\1jdpp.exe47⤵
- Executes dropped EXE
PID:696 -
\??\c:\dpjvp.exec:\dpjvp.exe48⤵
- Executes dropped EXE
PID:3972 -
\??\c:\xfflfll.exec:\xfflfll.exe49⤵
- Executes dropped EXE
PID:5092 -
\??\c:\nbbhtn.exec:\nbbhtn.exe50⤵
- Executes dropped EXE
PID:5568 -
\??\c:\ththht.exec:\ththht.exe51⤵
- Executes dropped EXE
PID:5300 -
\??\c:\dpvpd.exec:\dpvpd.exe52⤵
- Executes dropped EXE
PID:3172 -
\??\c:\lrxlrlx.exec:\lrxlrlx.exe53⤵
- Executes dropped EXE
PID:4552 -
\??\c:\7xxfrlf.exec:\7xxfrlf.exe54⤵
- Executes dropped EXE
PID:184 -
\??\c:\5nnhhb.exec:\5nnhhb.exe55⤵
- Executes dropped EXE
PID:4204 -
\??\c:\jjppd.exec:\jjppd.exe56⤵
- Executes dropped EXE
PID:1632 -
\??\c:\xffrfxl.exec:\xffrfxl.exe57⤵
- Executes dropped EXE
PID:3116 -
\??\c:\1llxllf.exec:\1llxllf.exe58⤵
- Executes dropped EXE
PID:1044 -
\??\c:\5bbnht.exec:\5bbnht.exe59⤵
- Executes dropped EXE
PID:5948 -
\??\c:\djjvp.exec:\djjvp.exe60⤵
- Executes dropped EXE
PID:1576 -
\??\c:\frlxlfx.exec:\frlxlfx.exe61⤵
- Executes dropped EXE
PID:1580 -
\??\c:\tbbnbt.exec:\tbbnbt.exe62⤵
- Executes dropped EXE
PID:3772 -
\??\c:\pddvj.exec:\pddvj.exe63⤵
- Executes dropped EXE
PID:2096 -
\??\c:\3lfxllx.exec:\3lfxllx.exe64⤵
- Executes dropped EXE
PID:1456 -
\??\c:\nhhtnn.exec:\nhhtnn.exe65⤵
- Executes dropped EXE
PID:4288 -
\??\c:\hthtth.exec:\hthtth.exe66⤵PID:5844
-
\??\c:\jpvjd.exec:\jpvjd.exe67⤵PID:644
-
\??\c:\xlrflxx.exec:\xlrflxx.exe68⤵PID:4320
-
\??\c:\hthtbh.exec:\hthtbh.exe69⤵PID:4332
-
\??\c:\1vpdj.exec:\1vpdj.exe70⤵PID:2580
-
\??\c:\dddjd.exec:\dddjd.exe71⤵PID:4604
-
\??\c:\xlrxrll.exec:\xlrxrll.exe72⤵PID:2988
-
\??\c:\frxlfxf.exec:\frxlfxf.exe73⤵PID:1264
-
\??\c:\pvjvj.exec:\pvjvj.exe74⤵PID:1484
-
\??\c:\1pjdp.exec:\1pjdp.exe75⤵PID:884
-
\??\c:\9llxlfr.exec:\9llxlfr.exe76⤵PID:4620
-
\??\c:\bnnbtn.exec:\bnnbtn.exe77⤵PID:4628
-
\??\c:\7ddpd.exec:\7ddpd.exe78⤵PID:2316
-
\??\c:\xflrxlr.exec:\xflrxlr.exe79⤵
- System Location Discovery: System Language Discovery
PID:3192 -
\??\c:\frlxlfr.exec:\frlxlfr.exe80⤵PID:4712
-
\??\c:\nttnbt.exec:\nttnbt.exe81⤵PID:3388
-
\??\c:\9btnhh.exec:\9btnhh.exe82⤵PID:4868
-
\??\c:\pvvpv.exec:\pvvpv.exe83⤵PID:4664
-
\??\c:\hhbbbn.exec:\hhbbbn.exe84⤵PID:5788
-
\??\c:\7pdpd.exec:\7pdpd.exe85⤵PID:2888
-
\??\c:\jppdj.exec:\jppdj.exe86⤵PID:4932
-
\??\c:\nhnbnn.exec:\nhnbnn.exe87⤵PID:5380
-
\??\c:\bntbnb.exec:\bntbnb.exe88⤵PID:5020
-
\??\c:\jvdjd.exec:\jvdjd.exe89⤵PID:5112
-
\??\c:\dpvpv.exec:\dpvpv.exe90⤵PID:4972
-
\??\c:\1rlxlfr.exec:\1rlxlfr.exe91⤵PID:3736
-
\??\c:\tbhbtn.exec:\tbhbtn.exe92⤵PID:3892
-
\??\c:\jdvjv.exec:\jdvjv.exe93⤵PID:5544
-
\??\c:\3pjdp.exec:\3pjdp.exe94⤵PID:2984
-
\??\c:\httbbh.exec:\httbbh.exe95⤵PID:5460
-
\??\c:\ddjpj.exec:\ddjpj.exe96⤵PID:2912
-
\??\c:\dpvpd.exec:\dpvpd.exe97⤵
- System Location Discovery: System Language Discovery
PID:4760 -
\??\c:\rfllxfr.exec:\rfllxfr.exe98⤵PID:1932
-
\??\c:\rxfrfxl.exec:\rxfrfxl.exe99⤵PID:4772
-
\??\c:\1nbbnh.exec:\1nbbnh.exe100⤵PID:516
-
\??\c:\jvdvd.exec:\jvdvd.exe101⤵
- System Location Discovery: System Language Discovery
PID:2068 -
\??\c:\pvdpj.exec:\pvdpj.exe102⤵PID:3688
-
\??\c:\xflrlrl.exec:\xflrlrl.exe103⤵PID:2064
-
\??\c:\1hhnht.exec:\1hhnht.exe104⤵PID:4532
-
\??\c:\tthhtn.exec:\tthhtn.exe105⤵PID:4120
-
\??\c:\pppjv.exec:\pppjv.exe106⤵PID:512
-
\??\c:\lllfllx.exec:\lllfllx.exe107⤵PID:3500
-
\??\c:\ntthtb.exec:\ntthtb.exe108⤵PID:5364
-
\??\c:\djjvj.exec:\djjvj.exe109⤵PID:4352
-
\??\c:\dpjjj.exec:\dpjjj.exe110⤵PID:5180
-
\??\c:\xlxrxff.exec:\xlxrxff.exe111⤵
- System Location Discovery: System Language Discovery
PID:792 -
\??\c:\bhbnht.exec:\bhbnht.exe112⤵PID:976
-
\??\c:\bhbthb.exec:\bhbthb.exe113⤵PID:5660
-
\??\c:\pddpv.exec:\pddpv.exe114⤵PID:2868
-
\??\c:\frxlfrf.exec:\frxlfrf.exe115⤵PID:1564
-
\??\c:\bnnbtt.exec:\bnnbtt.exe116⤵PID:3968
-
\??\c:\nnthtn.exec:\nnthtn.exe117⤵PID:2464
-
\??\c:\pjdvp.exec:\pjdvp.exe118⤵
- System Location Discovery: System Language Discovery
PID:2412 -
\??\c:\xffflfx.exec:\xffflfx.exe119⤵PID:2160
-
\??\c:\nbthtb.exec:\nbthtb.exe120⤵PID:5568
-
\??\c:\vddpd.exec:\vddpd.exe121⤵PID:3172
-
\??\c:\vpvpj.exec:\vpvpj.exe122⤵PID:5756